A security policy is a policy configured on a network traffic control device, for example a network firewall, a security gateway, or an intrusion detection device, and used to control how a data stream is forwarded and to perform content security detection on it. A security policy usually consists of a match condition and a policy action. The match condition is the set of criteria used to decide whether a data stream matches the policy; the policy action is the action to perform on a data stream once it has been determined, according to the match condition, that the stream matches the policy, and is either permit or deny.
The network traffic control device identifies the attributes of a data stream and compares them with the match conditions of the security policy. The data stream matches the security policy only if all of the match conditions are satisfied; a stream that fails any single condition does not match. Once the data stream matches the security policy, the device executes that policy's action.
The match condition of a security policy has many configurable parameters, including source and destination security zones, source and destination addresses, user, service, application, time segment, and the like. Different combinations of these parameters can describe data streams of the same nature. For example, if employees of the human resources department are allowed to use the QQ application, the security policy may be configured as follows: source=“human resource department”; destination=any network (any); application=“QQ”; action=“permit”.
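The match-condition and policy-action model described above, as an added example that is not part of the original text: a small policy matcher in which a stream matches a policy only when every configured condition is satisfied, and an `any` value places no restriction on a field. The field names, zone names, the `time_segment` values, the rule that policies are evaluated in order with the first match winning, and the default deny when nothing matches are all assumptions made for this illustration, not something the text specifies.

```python
# Added example: minimal security-policy matcher (match conditions + action).
# Field names, sample policies, sample streams, ordered first-match evaluation
# and the default-deny fallback are constructed assumptions for illustration.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Sequence, Tuple

ANY = "any"  # wildcard: the condition places no restriction on this field


def _satisfied(wanted: Any, actual: Optional[str]) -> bool:
    """Return True if the observed attribute value satisfies one condition."""
    if wanted == ANY:
        return True
    if isinstance(wanted, str):
        return actual == wanted
    # A collection (e.g. several permitted time segments) means "one of these".
    return actual in wanted


@dataclass
class SecurityPolicy:
    name: str
    action: str  # "permit" or "deny"
    # match conditions: attribute name -> required value, ANY, or a set of values
    conditions: Dict[str, Any] = field(default_factory=dict)

    def failed_conditions(self, stream: Dict[str, str]) -> List[str]:
        """List the condition fields the stream does not satisfy (empty = match).
        A missing attribute fails any condition that is not ANY."""
        return [
            key for key, wanted in self.conditions.items()
            if not _satisfied(wanted, stream.get(key))
        ]

    def matches(self, stream: Dict[str, str]) -> bool:
        # All configured conditions must hold for the stream to match.
        return not self.failed_conditions(stream)


def evaluate(policies: Sequence[SecurityPolicy], stream: Dict[str, str],
             default_action: str = "deny") -> Tuple[Optional[str], str]:
    """Return (policy name, action) of the first matching policy in order,
    or (None, default_action) when no policy matches (assumed default deny)."""
    for policy in policies:
        if policy.matches(stream):
            return policy.name, policy.action
    return None, default_action


def explain(policy: SecurityPolicy, stream: Dict[str, str]) -> List[str]:
    """Administrator aid: which conditions of a policy a stream failed."""
    return policy.failed_conditions(stream)


# Constructed sample policy set, mirroring the HR/QQ example in the text, with
# an added (assumed) time-segment condition and a final catch-all deny.
POLICIES = [
    SecurityPolicy("hr_qq", "permit", {
        "source": "human resource department",
        "destination": ANY,
        "application": "QQ",
        "time_segment": {"work hours"},
    }),
    SecurityPolicy("deny_all", "deny", {}),  # no conditions: matches everything
]

# Constructed sample streams (attributes as the device would have identified them)
HR_QQ_STREAM = {"source": "human resource department", "destination": "10.0.0.5",
                "application": "QQ", "time_segment": "work hours"}
FINANCE_QQ_STREAM = {"source": "finance department", "destination": "10.0.0.5",
                     "application": "QQ", "time_segment": "work hours"}
HR_QQ_OFF_HOURS = {"source": "human resource department", "destination": "10.0.0.5",
                   "application": "QQ", "time_segment": "off hours"}

if __name__ == "__main__":
    for label, s in [("hr/qq", HR_QQ_STREAM), ("finance/qq", FINANCE_QQ_STREAM),
                     ("hr/qq off hours", HR_QQ_OFF_HOURS)]:
        name, action = evaluate(POLICIES, s)
        print(f"{label:16s} -> {action} (policy {name}); "
              f"hr_qq failed on {explain(POLICIES[0], s)}")
```

Because `explain` reports exactly which fields a stream failed, it doubles as the check an administrator wants when a policy that should match does not: in the off-hours stream above only `time_segment` is reported, which points directly at the condition to revisit.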
In general, a security policy is configured and maintained manually by an administrator, based on the administrator's experience and on user feedback. This makes configuration difficult and error-prone, and the problem is particularly acute for small and medium-sized enterprises, whose administrators typically have relatively limited expertise.